We propose a semantically grounded theory of session types which relies on intersection and union
types. We argue that intersection and union types are natural candidates for modeling branching 
points in session types and we show that the resulting theory overcomes some important defects of 
related behavioral theories. In particular, intersections and unions provide a native solution to the 
problem of computing joins and meets of session types. Also, the subtyping relation turns out to be 
a pre-congruence, while this is not always the case in related behavioral theories.

1 Introduction 

Session types [10, 11, 12] are protocol descriptions that constrain the use of communication channels
in distributed systems. In these systems, processes engage into a conversation by first establishing a 
session on some private channel and then carrying on the conversation within the protected scope of 
the session. The session type prescribes, for each process involved in the session, the sequence and the 
type of messages the process is allowed to send or expected to receive at each given time. For example, 
the session type ā.ā.b associated with some channel c states that a process can use c for sending two a
messages and then waiting for a b message, in this order. Names a and b may stand for either message 
types, labels, method names and so forth, depending on the process language one is considering. 

In most session type theories it is possible to specify protocols with branching points indicating
alternative behaviors: for example, the session type ā.T □ b̄.S usually means that a process chooses to
send either an a message or a b message and then behaves according to T or S depending on the message
that it has sent; dually, the session type a.T □ b.S usually means that a process waits for either an a
message or a b message, and then behaves according to the respective continuation. In these examples, as
in the session type theories cited above, one is making the implicit assumption that the process actively
choosing to follow one particular branch is the one that sends messages, while the process passively
waiting for the decision is the one that receives messages. In practice, it is appropriate to devise two
distinct branching operators, instead of a single one □ like in the examples above, to emphasize this fact.
This is the key intuition in [3, 14], where session types are studied as proper terms of a simple process
algebra with action prefixes and two choice operators: the internal choice T ⊕ S denotes that the process
decides which branch, T or S, to take and behaves accordingly; the external choice T + S denotes that
the process offers two possible behaviors, T and S, and leaves the decision as to which one to follow to
the process at the other end of the communication channel.

The approach advocated in [3, 14] recasts session types into well-known formalisms (process algebras)
by fully embracing their behavioral nature. This permits the definition of an elegant, semantically
grounded subtyping relation ≤ for session types as an adaptation of the well-known must pre-order for
processes [6, 5]. Nonetheless, the resulting theory of session types suffers from a few shortcomings.
First of all, the semantics of the external choice is a bit involved because in some contexts it is
indistinguishable from that of the internal choice: the typical example, which is also one of the pivotal
laws of the must pre-order, is a.T + a.S ~ a.(T ⊕ S) (we write ~ for the equivalence relation induced by ≤).
As a direct consequence of this, the subtyping relation ≤ fails to be a pre-congruence. Indeed we have
a.b ≤ a.b + b.c but a.b + b.d ≰ a.b + b.c + b.d ~ a.b + b.(c ⊕ d). This poses practical problems (one
has to characterize the contexts in which subtyping is safe) as well as theoretical ones (≤ is harder to
characterize axiomatically). Finally, recent developments of session type theories have shown a growing
interest toward the definition of meet and join operators over session types [13], which must be defined
in an ad hoc manner since these do not always correspond to the internal choice and the external choice.

In this paper we propose a language of session types which uses intersection types and union types
for modeling branching points. The idea is that when some channel is typed by the intersection type
ā.T ∧ b̄.S this means that the channel has both type ā.T and also type b̄.S, namely a process conforming
to this type can choose to send an a message or a b message and then use the channel as respectively
prescribed by T and S. Dually, when some channel is typed by the union type a.T ∨ b.S this means that
the process does not precisely know the type of the channel, which may be either a.T or b.S. Hence it
must be ready to receive both an a message and a b message. It is the message received from the channel
that helps the process disambiguate the type of the channel. If the message does not provide enough
information, the ambiguity is propagated, hence one pivotal law of our theory is a.T ∨ a.S ~ a.(T ∨ S).

In summary, we argue that intersection and union types are natural, type theoretic alternatives for 
internal and external choices, respectively. Furthermore, they allow us to develop a decidable theory of 
session types that are natively equipped with join and meet operators, and where the semantically defined 
subtyping relation is a pre-congruence. 

Structure of the paper. We devote Section 2 to presenting a process algebra, so that we can formalize
processes and correct process interactions in dyadic sessions (i.e., we consider sessions linking exactly
two processes). We introduce session types in Section 3, where we use the formalization of processes
from the previous section for defining their semantics. The section includes the description of an
algorithm for deciding the subtyping relation, a type system for checking whether a process conforms to
a given session type, as well as an extended example motivating the need to compute meet and join
of session types. We conclude in Section 4 with a summary of the paper and a few hints at future
research directions. For the sake of simplicity, in this paper we restrict ourselves to finite processes and
finite types. Indeed, the relationship between branching operators and intersection and union types is
independent of the fact that processes may or may not be infinite. On the contrary, dealing with
infinite behaviors introduces some technical difficulties, briefly touched upon in Section 4, that we plan to
address in a forthcoming and more comprehensive work. For the sake of readability, proofs and other
technical details have been postponed to Sections A and B.

2 Processes 

Let us fix some notation: we let a, b, ... range over some set 𝒩 of action names whose meaning is
left unspecified; we let P, Q, ... range over processes and α, β, ... range over actions. We distinguish
input actions of the form a from output actions of the form ā; we say that ā is the co-action of a, and
$\bar{\cdot}$ is an involution, that is $\bar{\bar{a}} = a$. We consider the simple language of sequential
processes whose grammar is described in Table 1. Syntactically speaking the language is a minor variation
of CCS without τ's, without relabeling, restriction, and parallel composition. The terms 0 and 1 denote
idle processes that perform no further action. The former is deadlocked, while the latter represents a
successfully terminated interaction (since we are going to give processes a testing semantics, we prefer
denoting success by means of a dedicated term 1 rather than a special action as in other theories [5]).
The term α.P denotes a process that performs the action α and then continues as P. The term P ⊕ Q
denotes a process that internally decides whether to behave as P or as Q. Finally, the term P + Q is the
external choice of P and Q and denotes a process that externally offers two behaviors, P and Q, and lets
the environment decide which one it should follow. As we will see shortly, the decision of the environment
is guided, as usual, by the initial actions performed by P and Q. In the following we will usually omit
trailing 1's and write, for example, a.b instead of a.b.1. We will also write 𝒫 for the set of all processes.

Luca Padovani

Table 1: Syntax of processes.

$$
\begin{array}{rcll}
\text{Process} & P ::= & 0 & \text{(deadlock)} \\
 & \mid & 1 & \text{(termination)} \\
 & \mid & \alpha.P & \text{(prefix)} \\
 & \mid & P \oplus P & \text{(internal choice)} \\
 & \mid & P + P & \text{(external choice)} \\[1ex]
\text{Action} & \alpha ::= & a & \text{(input)} \\
 & \mid & \bar{a} & \text{(output)}
\end{array}
$$

Table 2: Operational semantics of processes (symmetric rules omitted).

$$
\begin{array}{ccc}
\textsc{(R1)} & \textsc{(R2)} & \textsc{(R3)} \\[0.5ex]
1 \xrightarrow{\checkmark} 1 &
\alpha.P \xrightarrow{\alpha} P &
P \oplus Q \longrightarrow P \\[2ex]
\textsc{(R4)} & \textsc{(R5)} & \textsc{(R6)} \\[0.5ex]
\dfrac{P \longrightarrow P'}{P + Q \longrightarrow P' + Q} &
\dfrac{P \xrightarrow{\mu} P' \qquad \mu \in \mathcal{N} \cup \{\checkmark\}}{P + Q \xrightarrow{\mu} P'} &
\dfrac{P \xrightarrow{\bar{a}} P'}{P + Q \longrightarrow \bar{a}.P'}
\end{array}
$$

The formal meaning of processes is given by a transition system, defined in Table 2 (symmetric rules
have been omitted). The system consists of two relations, an unlabelled one → and a labelled one
$\xrightarrow{\mu}$, where the label μ is an element of $\mathcal{N} \cup \bar{\mathcal{N}} \cup \{\checkmark\}$ and
$\checkmark \notin \mathcal{N} \cup \bar{\mathcal{N}}$ is a flag denoting successful termination. We extend the
$\bar{\cdot}$ involution to labels so that $\bar{\checkmark} = \checkmark$ and to sets of labels A so that
$\bar{A} = \{\bar\mu \mid \mu \in A\}$. Intuitively → represents internal, invisible transitions of a
process, while $\xrightarrow{\mu}$ represents external, visible transitions of a process. We briefly describe
the meaning of the rules in the following paragraph: rule (R1) signals the fact that the process 1 has
terminated successfully; rule (R2) states that a process α.P may execute the action α and reduce to P;
rule (R3) (and the symmetric one) states that a process P ⊕ Q internally decides to reduce to either P
or Q; rule (R4) (and the symmetric one) states that internal decisions taken in some branch of an external
choice do not preempt the other branch of the external choice. This rule is common in process algebras
distinguishing between internal and external choices, such as CCS without τ's, from which our process
language is inspired. Rule (R5) (and the symmetric one) states that an external choice offers any action
that is offered by either branch of the choice. Rule (R6) and its symmetric one is possibly the least
familiar. It states that a process performing an output action may preempt other branches of an external
choice. This rule was originally introduced in [4], where the message sent is detached from its
corresponding continuation, which is thus immediately capable of interacting with the surrounding
environment. Here we keep the message and its continuation attached together, so as to model an
asynchronous form of communication where the order of messages is preserved. This is practically
justified in our setting as we aim at modelling dyadic sessions. In the following we will sometimes use
the following notation: we write ⇒ for the reflexive and transitive closure of →; we let
$\stackrel{\mu}{\Longrightarrow}$ be the composition $\Longrightarrow \xrightarrow{\mu} \Longrightarrow$; we
write P ↛ if there is no P' such that P → P'; we write P ⇓μ if $P \stackrel{\mu}{\Longrightarrow} P'$ for
some P'; let init(P) =

The next and final step is to describe how two processes "complete each other", in the sense that they 
interact without errors. Informally, P and Q interact without errors if, regardless of the respective internal 
choices, they are always capable of synchronizing by means of complementary actions or they have both 
successfully terminated. We formalize this as the following orthogonality relation between processes: 

Definition 2.1 (orthogonal processes). Let → be the smallest relation between systems P | Q of two
processes such that:

$$
\dfrac{P \longrightarrow P'}{P \mid Q \longrightarrow P' \mid Q}
\qquad
\dfrac{Q \longrightarrow Q'}{P \mid Q \longrightarrow P \mid Q'}
\qquad
\dfrac{P \xrightarrow{\alpha} P' \quad Q \xrightarrow{\bar\alpha} Q'}{P \mid Q \longrightarrow P' \mid Q'}
$$

and let ⇒ be the reflexive, transitive closure of →. We write P | Q ↛ if there are no P' and Q' such
that P | Q → P' | Q'. We say that P and Q are orthogonal, notation P ⊥ Q, if P | Q ⇒ P' | Q' ↛ implies
$P' \xrightarrow{\checkmark}$ and $Q' \xrightarrow{\checkmark}$. ■

As an example, consider the process P = ā.(a + b). Then a.ā, a.b̄, a.(ā ⊕ b̄) are all orthogonal to P.
The processes a and P are not orthogonal because a | P → 1 | a + b and a + b cannot perform ✓ (both
processes must be in a successfully terminated state when they reach a stable configuration). Also
a.(ā ⊕ c̄) and P are not orthogonal because a.(ā ⊕ c̄) | P → ā ⊕ c̄ | a + b → c̄ | a + b ↛.
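The orthogonality check of Definition 2.1 over the finite processes of Table 1, as an added example that is not the paper's code: the rules of Table 2 are encoded as Python functions and P ⊥ Q is decided by exhausting the finite state space of P | Q. The tuple encoding, the constructor names and the reading of (R5) as propagating inputs and ✓ (so that 1 + a is a client of end, as stated later for ⟦end⟧) are this example's own assumptions.

```python
# Added example (not from the paper): orthogonality of finite processes (Definition 2.1).
# Processes are tuples:
#   ("0",)              deadlock            ("1",)             successful termination
#   ("pre", act, P)     prefix act.P        ("ichoice", P, Q)  internal choice P (+) Q
#   ("echoice", P, Q)   external choice P + Q
# An action is ("in", a) for the input a or ("out", a) for the output a-bar.
TICK = "tick"   # the success label (written as a check mark in the paper)

def inp(a): return ("in", a)
def out(a): return ("out", a)
def pre(act, p): return ("pre", act, p)
def ichoice(p, q): return ("ichoice", p, q)
def echoice(p, q): return ("echoice", p, q)

def seq(*acts):
    """act1.act2. ... .1, with the trailing 1 that the paper leaves implicit."""
    p = ("1",)
    for act in reversed(acts):
        p = pre(act, p)
    return p

def co(act):
    """Co-action: a <-> a-bar."""
    kind, name = act
    return ("out" if kind == "in" else "in", name)

def labelled(p):
    """Visible transitions P -mu-> P' (rules R1, R2, R5) as a set of (label, P') pairs."""
    tag = p[0]
    if tag == "1":                                  # (R1)  1 -tick-> 1
        return {(TICK, p)}
    if tag == "pre":                                # (R2)  act.P -act-> P
        return {(p[1], p[2])}
    if tag == "echoice":                            # (R5)  inputs and tick offered by either branch;
        return {(lab, p2)                           #       outputs are handled by (R6) in internal()
                for side in (p[1], p[2])
                for lab, p2 in labelled(side)
                if lab == TICK or lab[0] == "in"}
    return set()

def internal(p):
    """Invisible transitions P -> P' (rules R3, R4, R6) as a set of successors."""
    tag = p[0]
    if tag == "ichoice":                            # (R3)  P (+) Q -> P  and  -> Q
        return {p[1], p[2]}
    if tag == "echoice":
        left, right = p[1], p[2]
        res = {echoice(l2, right) for l2 in internal(left)}     # (R4) and its symmetric rule
        res |= {echoice(left, r2) for r2 in internal(right)}
        for side in (left, right):                  # (R6)  an output preempts the other branch:
            for lab, p2 in labelled(side):          #       P -a-bar-> P'  gives  P + Q -> a-bar.P'
                if lab != TICK and lab[0] == "out":
                    res.add(pre(lab, p2))
        return res
    return set()

def has_tick(p):
    return any(lab == TICK for lab, _ in labelled(p))

def step(p, q):
    """One move of the system P | Q (the three rules of Definition 2.1)."""
    res = {(p2, q) for p2 in internal(p)} | {(p, q2) for q2 in internal(q)}
    for lab, p2 in labelled(p):
        if lab != TICK:                             # synchronisation on complementary actions
            res |= {(p2, q2) for lab2, q2 in labelled(q) if lab2 == co(lab)}
    return res

def orthogonal(p, q):
    """P _|_ Q: every stable configuration reachable from P | Q has both sides ready to emit tick."""
    seen, todo = set(), [(p, q)]
    while todo:
        conf = todo.pop()
        if conf in seen:
            continue
        seen.add(conf)
        successors = step(*conf)
        if not successors and not (has_tick(conf[0]) and has_tick(conf[1])):
            return False
        todo.extend(successors)
    return True

def orthogonals_among(p, candidates):
    """The subset of `candidates` orthogonal to p: a finite sample of the interpretation of p."""
    return [q for q in candidates if orthogonal(p, q)]

if __name__ == "__main__":
    # The example of Section 2: P = a-bar.(a + b).
    P = pre(out("a"), echoice(seq(inp("a")), seq(inp("b"))))
    for q in (seq(inp("a"), out("a")), seq(inp("a"), out("b")),
              pre(inp("a"), ichoice(seq(out("a")), seq(out("b")))),
              seq(inp("a")), pre(inp("a"), ichoice(seq(out("a")), seq(out("c"))))):
        print(q, "orthogonal" if orthogonal(P, q) else "not orthogonal")
```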

Orthogonality provides us with a notion of "test" that we can use for discriminating processes, in the
spirit of the testing framework [5]. Informally, when P ⊥ Q we can see Q as a test that P succeeds to
pass (since orthogonality is symmetric, we can also reason the other way around and see P as a test for
Q). Equivalently, we can see Q as a context that completes P. Then, we can say that two processes are
equivalent if they pass the same tests, or if they are completed by the same contexts. In fact, it makes
sense to interpret processes as the set of tests they pass and to define a pre-order between processes,
which we call refinement, as the inclusion of their corresponding interpretations.

Definition 2.2 (process interpretation and refinement). Let ⟦P⟧ = {Q ∈ 𝒫 | P ⊥ Q}. We say that Q is
a refinement of P, notation P ≤ Q, if and only if ⟦P⟧ ⊆ ⟦Q⟧. We write ~ for the equivalence relation
induced by ≤, namely ~ = ≤ ∩ ≤⁻¹. ■

Intuitively, Q is a refinement of P if any test that P passes is also passed by Q. Therefore, it is safe
to replace P with Q as any context in which P operates correctly will continue to do so also with Q. The
equational theory induced by refinement is closely related to the must testing pre-order [5]. In particular,
we have P ⊕ Q ≤ P since ⟦P ⊕ Q⟧ = ⟦P⟧ ∩ ⟦Q⟧. This equivalence lets us appreciate the fact that the
internal choice operator does correspond to an intersection when we interpret processes as the sets of
their orthogonals. Alas, under this interpretation the external choice operator does not correspond to a
union, for three reasons:

• There can be processes in ⟦P + Q⟧ that are not contained in ⟦P⟧ ∪ ⟦Q⟧. For example, ā ⊕ b̄ ∈
⟦a + b⟧ \ (⟦a⟧ ∪ ⟦b⟧). This is fairly common in every framework that accounts for non-deterministic
entities. In our case, ā ⊕ b̄ is orthogonal to a + b, but not to a or b alone.

• Sometimes ⟦P + Q⟧ = ⟦P ⊕ Q⟧ = ⟦P⟧ ∩ ⟦Q⟧, namely the external choice can be internal choice
in disguise. For example, we have a.a + a.b ~ a.a ⊕ a.b ~ a.(a ⊕ b). The problem is that both
branches of the external choice are guarded by the same action a, and since it is the initial performed
action that determines the chosen branch, the process a.a + a.b does not offer an external
choice, but is actually performing an internal one. A different instance of this phenomenon occurs
when both branches of an external choice are guarded by output actions, because of rule (R6). For
example, we have ā + b̄

• The fact that output actions can preempt branches of external choices can make such branches
useless. For example a + ā ~ ā + 1 ~ ā, since a + ā → ā by rule (R6).

A direct consequence of these subtleties related with the external choice is that refinement fails to be
a pre-congruence. In particular, we are now able to justify the (in)equivalences a.b + b.d ≰ a.b + b.c +
b.d ~ a.b + b.(c ⊕ d) that we have anticipated in the introduction.

Observe that there are pathological processes that are intrinsically flawed and cannot interact
correctly with any other process. For example, a ⊕ b has no orthogonals since it is not possible to know
which message, a or b, it is ready to receive. As another example the process P = a ⊕ b̄ has no
orthogonals: no process interacting with it can send an a message, since P → b̄; at the same time, a process
waiting for the b message from P may starve forever since P → a.

Table 3: Syntax of session types.

$$
\begin{array}{rcll}
\text{Session type} & T ::= & 0 & \text{(bottom)} \\
 & \mid & 1 & \text{(top)} \\
 & \mid & \mathsf{end} & \text{(termination)} \\
 & \mid & \alpha.T & \text{(prefix)} \\
 & \mid & T \wedge T & \text{(intersection)} \\
 & \mid & T \vee T & \text{(union)}
\end{array}
$$



3 Session Types 

In this section we introduce our language of session types, we study their semantics, and we provide a 
subtyping algorithm and a type system for checking processes against session types. 

3.1 Syntax 

We let T, S, ... range over session types, which are defined by the grammar in Table 3. The types 0
and 1 characterize channels which cannot be successfully used for any interaction. We postpone a more
detailed discussion about 0 and 1 to when we formally define their semantics. For the time being, it
suffices to say that 0 and 1 represent the smallest and largest element in the lattice of session types we
are about to define. The type end denotes channels on which no further action is possible. There is a
fundamental distinction between end and the two types 0 and 1: end denotes a successfully terminated
interaction, while 0 and 1 denote the impossibility to carry on any interaction; the type α.T denotes
channels on which it is possible to perform an action α. Actions are the same ones that occur within
processes, but the point of view is slightly different: a process executes an action, while a session type
indicates the possibility or the obligation for a process to execute an action. We will appreciate more
concretely this difference in Section 3.4 where we will see that the same process can be successfully
checked against different session types. The type T ∧ S denotes channels that have both types T and S.
For example ā.end ∧ b̄.end denotes a channel that has both type ā.end and also type b̄.end, namely it can
be used for sending both messages a and b. Finally, the type T ∨ S denotes channels that either have type
T or S. For instance the type a.end ∨ b.end associated with a channel means that a process using that
channel must be ready to receive both a message a and a message b, since it does not know whether the
type of the channel is a.end or b.end.¹ To avoid clutter, in the following we will omit trailing end's and
write, for instance, ā ∧ b̄ instead of ā.end ∧ b̄.end when this generates no ambiguity with the syntax of
processes.

Before giving a formal semantics to session types let us discuss a few examples to highlight
similarities and differences between them and processes. It should be pretty obvious that ⊕ and ∧ play
similar roles: the ability for a process P ⊕ Q to autonomously decide which behavior, P or Q, to perform
indicates that the session type associated with the channel it is using allows both alternatives, it has both
types. No such correspondence exists between + and ∨. For instance, consider P = a.b.ā + a.c.b̄ and
T = a.b.ā ∨ a.c.b̄. The external choice in P is guarded by the same action a, meaning that after performing
action a the process may reduce to either b.ā or to c.b̄, the choice being nondeterministic. As we have
already remarked at the end of Section 2, one can show that P is equivalent to a.(b.ā ⊕ c.b̄), where the
nondeterministic choice between the two residual branches is explicit. The session type T, on the other
hand, tells us something different: we do not know whether the channel we are using has type a.b.ā or
a.c.b̄ and receiving message a from it does not help to solve this ambiguity. Therefore, after the message
a has been received, we are left with a channel whose associated session type is b.ā ∨ c.b̄. At this stage,
depending on the message, b or c, that is received, we are able to distinguish the type of the channel, and
to send the appropriate message (either a or b) before terminating. In summary, P and T specify quite
different behaviors, and in fact while T is perfectly reasonable, in the sense that there are processes that
conform to T and that can correctly interact with corresponding orthogonal processes, the reader may
easily verify that P has no orthogonals.



3.2 Semantics 

Intuitively we want to define the semantics ⟦T⟧ of a session type T as a set of processes, so that session
types can be related by comparing the corresponding interpretations pretty much as we did for processes
(Definition 2.2). To assist the reader with this intuition, consider the scenario depicted below

$$
T \vdash P \;\overset{c}{\text{———————————}}\; Q \in \llbracket T \rrbracket
$$

where the notation T ⊢ P means that P, which we will think of as the "server", is using the end point of
channel c according to the session type T. We write T ⊢ P instead of c : T ⊢ P since we assume that P
acts on one channel only. The idea is that the interpretation of T is the set of "client" processes Q that
can interact correctly with P when placed at the other end point of the channel c.

Before we address the formal definition of ⟦T⟧ we must realize that not every set of processes makes
sense when interpreted in this way:

• if a server is able to interact correctly with all of the clients in the set X = {ā, b̄}, then it is also
able to interact correctly with ā ⊕ b̄;

• no server is able to interact correctly with all of the clients in the set Y = {ā, b} because this server
would have to perform both an input on a and an output on b at the same time.

¹ We are making the implicit assumption that "using a channel" means either sending a message on it or waiting for a message
from it and that no type-case construct is available for querying the actual type of a channel.
We conclude that neither X nor Y above are closed sets of processes that can serve as proper
denotations of a session type: X and X ∪ {ā ⊕ b̄} are indistinguishable because every server P that includes X in
its interpretation includes also X ∪ {ā ⊕ b̄}; Y and 𝒫 are indistinguishable because there is no server that
includes Y in its interpretation just as there is no server that includes the whole 𝒫 in its interpretation.
We therefore need a closure operation over sets of processes, which we define in terms of orthogonal
sets, defined as follows:

Definition 3.1 (orthogonal set). Let X ⊆ 𝒫. Then X⊥ = {P ∈ 𝒫 | X ⊆ ⟦P⟧}. ■

Intuitively, the orthogonal of some set of processes X is the set of those processes that include X in
their interpretation. If we go back to the problematic sets of processes described earlier, we have X⊥ =
{a + b, a + b + c, a + b + c + d, ...} and Y⊥ = ∅. Clearly the orthogonal of a set X flips the perspective,
in the sense that if X is a set of "clients", then X⊥ is the set of "servers" of those clients. Therefore,
we define the closure as the bi-orthogonal (·)⊥⊥. For instance we have X⊥⊥ = {ā, b̄, ā ⊕ b̄, ...} and
Y⊥⊥ = 𝒫. We say that a set X of processes is closed if it is equal to its closure, namely if X = X⊥⊥.
The fact that (·)⊥⊥ is indeed a closure operator is formalized by the following result:

Proposition 3.1. The bi-orthogonal is a closure, namely it is extensive, monotonic, and idempotent:

1. X ⊆ X⊥⊥;

2. X ⊆ Y implies X⊥⊥ ⊆ Y⊥⊥;

3. X⊥⊥ = X⊥⊥⊥⊥.

Proof. Observe that X⊥ = {P ∈ 𝒫 | ∀Q ∈ X : P ⊥ Q}. Then ((·)⊥, (·)⊥) is a Galois connection (more
precisely, a polarity) between the posets (2^𝒫, ⊆) and (2^𝒫, ⊇). Then it is a known fact that (·)⊥⊥ =
(·)⊥ ∘ (·)⊥ is a closure operator on the poset (2^𝒫, ⊆). □

Then we define the interpretation of session types in terms of closures of sets of processes, where we
interpret ∧ and ∨ as set-theoretic intersections and unions.

Definition 3.2 (session type semantics). The semantics of a session type is inductively defined by the
following equations:

$$
\begin{array}{rcl}
\llbracket 0 \rrbracket & = & \emptyset \\
\llbracket 1 \rrbracket & = & \mathcal{P} \\
\llbracket \mathsf{end} \rrbracket & = & \{1\}^{\perp\perp} \\
\llbracket \alpha.T \rrbracket & = & \{\bar\alpha.P \mid P \in \llbracket T \rrbracket\}^{\perp\perp} \\
\llbracket T_1 \wedge T_2 \rrbracket & = & \llbracket T_1 \rrbracket \cap \llbracket T_2 \rrbracket \\
\llbracket T_1 \vee T_2 \rrbracket & = & (\llbracket T_1 \rrbracket \cup \llbracket T_2 \rrbracket)^{\perp\perp}
\end{array}
$$

As we comment on the definition of ⟦·⟧, it is useful to think of ⟦T⟧ as the set of clients that a
server using a channel with type T must be able to satisfy. Since 0 denotes the empty set of clients, a
channel typed by 0 is the easiest to use for a server, for the server is not required to satisfy any process.
Dually, a channel typed by 1 is the hardest to use, for the server is required to satisfy any process. As
this is impossible to achieve (there is no process that is dual of every process in 𝒫), no server can
effectively use a channel typed by 1. From a type-theoretic point of view, 0 and 1 represent two dual
notions of emptiness: 0 means absence of clients, 1 means absence of servers. Later on we will see
that any session type different from 0 and 1 is inhabited, in the sense that it admits at least one client
and at least one server. A channel typed by end represents those clients that are satisfied even if they do
not receive any further message. The process 1 clearly is a client of end, but it's not the only one: any
process that guarantees the ✓ action is a client of end. Hence we have ⟦end⟧ = {1, 1 + a, 1 + a + b, ...}.
In particular, no process that is immediately able to emit an output is included in this set. Regarding the
session type α.T, its clients are all those processes that perform the co-action ᾱ and whose continuation
after ᾱ is in ⟦T⟧. If α is some input action a then any process in ⟦a.T⟧ sends ā (and only ā), whereas
if α is some output action ā then any process in ⟦ā.T⟧ guarantees the input action a. For example we
have ā ∈ ⟦a.end⟧ and a + b ∈ ⟦ā.end⟧ but ā ⊕ b̄ ∉ ⟦a.end⟧. Therefore, a server using a channel typed by
α.T is required to provide action α and to continue the interaction as specified by T. The intersection
type T1 ∧ T2 denotes those channels that have both type T1 and type T2. Therefore the servers using these
channels have the freedom to use them according to either T1 or T2. That is why the clients of T1 ∧ T2
must be clients of both T1 and T2. The union type T1 ∨ T2 can be explained in a dual way with respect to
the intersection. In this case, the server is unsure whether the channel has type T1 or T2 and consequently
it must be able to satisfy (at least) all the clients of T1 and all the clients of T2 as well. Overall we see that
intersections and unions of session types match in a quite natural way their set-theoretic interpretation.
However, note that ⟦T1 ∧ T2⟧ = ⟦T1⟧ ∩ ⟦T2⟧ whereas in general we have ⟦T1 ∨ T2⟧ ⊇ ⟦T1⟧ ∪ ⟦T2⟧. For
example, ā ⊕ b̄ ∈ ⟦a.end ∨ b.end⟧ \ (⟦a.end⟧ ∪ ⟦b.end⟧). There is no need to use the closure operator on
⟦T1⟧ ∩ ⟦T2⟧ since it can be shown that this set is already closed.

We use ⟦·⟧ for comparing session types. In particular we say that T is a subtype of S when T's clients
are included in S's clients:

Definition 3.3 (subtype). We say that T1 is a subtype of T2, written T1 ≤ T2, if ⟦T1⟧ ⊆ ⟦T2⟧. We write ~
for the equivalence relation induced by ≤, namely ~ = ≤ ∩ ≤⁻¹. ■

Unlike the refinement relation, subtyping turns out to be a pre-congruence with respect to all the
operators of the session type language.

Proposition 3.2. ≤ is a pre-congruence.

Proof. Immediate from the definition of ≤ and Proposition 3.1(2). □

Equally trivial is the fact that ∧ and ∨ provide us with a native way of respectively computing the
greatest lower bound and the least upper bound of two session types. As regards ∧, this is obvious
since ⟦T1 ∧ T2⟧ = ⟦T1⟧ ∩ ⟦T2⟧ by definition. For ∨, it suffices to observe that T1 ≤ S and T2 ≤ S implies
⟦T1⟧ ∪ ⟦T2⟧ ⊆ ⟦S⟧. Since (⟦T1⟧ ∪ ⟦T2⟧)⊥⊥ is the smallest closed set that includes ⟦T1⟧ ∪ ⟦T2⟧ and since ⟦S⟧
is closed, we conclude ⟦T1 ∨ T2⟧ = (⟦T1⟧ ∪ ⟦T2⟧)⊥⊥ ⊆ ⟦S⟧, namely T1 ∨ T2 ≤ S. The following extended
example shows the need to compute meets and joins of session types in some contexts. The availability
of native unions and intersections within the language of session types makes this task trivial.

Example 3.1 (global type projection). Global types [12] are abstract descriptions of interactions
between two or more participants from a neutral point of view. For example, the global type

$$
A \xrightarrow{a} B;\ A \xrightarrow{b} B \quad\square\quad A \xrightarrow{a} B;\ A \xrightarrow{c} B
$$

specifies a system with two participants, here indicated by the tags A and B, which interact by exchanging
messages 'a', 'b', and 'c'. In a global type, an action such as $A \xrightarrow{a} B$ indicates that A sends an 'a'
message to B. Actions can be composed in sequences (with ;) and in alternative paths (with □). Overall,
the global type describes which sequences of interactions are possible, but not who is responsible for
which choices (hence the use of a single operator □ in branching points). The implementation of a
global type begins by projecting it on each participant, so as to synthesize the session type that each
participant must conform to. In this example we obtain the following projections: the projection on A is
ā.b̄ on the l.h.s. and ā.c̄ on the r.h.s.; the projection on B is a.b on the l.h.s. and a.c on the r.h.s. Since
A is the only sender, it is natural that its overall projection is ā.b̄ ∧ ā.c̄ ~ ā.(b̄ ∧ c̄). Since B is the only
receiver, it must be prepared to receive the messages from A regardless of which messages A decides to
send. Therefore, the correct projection of the global type on B is a.b ∨ a.c ~ a.(b ∨ c), which is the least
upper bound of the projections on B of the two branches. In a language of session types with behavioral
choices, this upper bound must be computed by an ad hoc operator, since a.b + a.c would be equivalent
to a.(b ⊕ c) which does not correspond to the correct projection for B. ♦
As we have anticipated, for a session type to make sense, its interpretation must be different from both
∅ and 𝒫. This condition roughly corresponds to non-emptiness: a standard "value" type is inhabited if
there exists one value of that type; a session type is inhabited if it has at least one server and at least one
client. This explains why there are two distinct "empty" session types.

Definition 3.4 (viable session type). We say that the session type T is viable if T ≁ 0, 1. ■

Viability is a necessary and sufficient condition for T to be implementable: if T ≁ 0 take any P ∈ ⟦T⟧.
From the hypothesis T ≁ 1 and the fact that ⟦T⟧ is closed we also know that ⟦T⟧⊥ ≠ ∅, because ⟦T⟧⊥ = ∅
implies ⟦T⟧⊥⊥ = 𝒫. Hence there exists Q ∈ ⟦T⟧⊥. By definition of orthogonal set we conclude P ⊥ Q.
This discussion about viability emphasizes the importance of the orthogonal operation since the sets ⟦T⟧
and ⟦T⟧⊥ contain precisely those processes that interact correctly via a channel typed by T. We conclude
this section by showing that the orthogonal operator over sets of processes corresponds to a syntactic
duality operation over session types.

Theorem 3.1 (dual session type). The dual of a session type T is the session type $\overline{T}$ obtained from T by
turning every 0 into 1, every 1 into 0, every action α into the corresponding co-action ᾱ, every ∧ into
∨, and every ∨ into ∧. Inductively:

$$
\begin{array}{rcl}
\overline{0} & = & 1 \\
\overline{1} & = & 0 \\
\overline{\mathsf{end}} & = & \mathsf{end} \\
\overline{\alpha.T} & = & \bar\alpha.\overline{T} \\
\overline{T_1 \wedge T_2} & = & \overline{T_1} \vee \overline{T_2} \\
\overline{T_1 \vee T_2} & = & \overline{T_1} \wedge \overline{T_2}
\end{array}
$$

Then $\llbracket \overline{T} \rrbracket = \llbracket T \rrbracket^{\perp}$.
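Example 3.1 and Theorem 3.1 worked in code, as an added example that is not part of the paper: the global type is projected onto A and B (intersection for the participant that chooses, union for the one that must accept the choice), common prefixes are factored as in the text, and the projection on B is checked to be the syntactic dual of the projection on A. The tuple encoding, the restriction to two participants and the rule that the sender of the first message of both branches decides are this example's own assumptions.

```python
# Added example (not from the paper): projection of the dyadic global type of Example 3.1
# and the syntactic dual of Theorem 3.1 on the fragment without 0 and 1.
# Session types are tuples:
#   ("end",)   ("pre", act, T)   ("and", T, S)   ("or", T, S)     act = ("in", a) | ("out", a)
# Global types (assumption: exactly two participants, named by strings):
#   ("msg", sender, receiver, a)   ("seq", G1, G2)   ("alt", G1, G2)
END = ("end",)

def pre(act, t): return ("pre", act, t)
def inter(t, s): return ("and", t, s)
def union(t, s): return ("or", t, s)
def msg(sender, receiver, a): return ("msg", sender, receiver, a)
def seq(g1, g2): return ("seq", g1, g2)
def alt(g1, g2): return ("alt", g1, g2)

def concat(t, s):
    """Continue every end leaf of t with s (sequential composition of projections)."""
    if t[0] == "end":
        return s
    if t[0] == "pre":
        return pre(t[1], concat(t[2], s))
    return (t[0], concat(t[1], s), concat(t[2], s))

def first_senders(g):
    """Participants that send the first message of a global type."""
    if g[0] == "msg":
        return {g[1]}
    if g[0] == "seq":
        return first_senders(g[1])
    return first_senders(g[1]) | first_senders(g[2])

def project(g, p):
    """Projection of the global type g onto participant p."""
    if g[0] == "msg":
        _, sender, receiver, a = g
        if p == sender:
            return pre(("out", a), END)       # the sender emits a-bar
        if p == receiver:
            return pre(("in", a), END)        # the receiver waits for a
        raise ValueError("%s does not take part in %r" % (p, g))
    if g[0] == "seq":
        return concat(project(g[1], p), project(g[2], p))
    # Alternative: the participant sending the first message of both branches decides, so its
    # projection is the intersection; the other one must accept either branch, hence the union.
    senders = first_senders(g)
    if len(senders) != 1:
        raise ValueError("branches of %r are not chosen by a single participant" % (g,))
    left, right = project(g[1], p), project(g[2], p)
    return inter(left, right) if p in senders else union(left, right)

def factor(t):
    """Factor common prefixes: a.T ∧ a.S becomes a.(T ∧ S) and a.T ∨ a.S becomes a.(T ∨ S)."""
    if t[0] == "pre":
        return pre(t[1], factor(t[2]))
    if t[0] in ("and", "or"):
        l, r = factor(t[1]), factor(t[2])
        if l[0] == r[0] == "pre" and l[1] == r[1]:
            return pre(l[1], factor((t[0], l[2], r[2])))
        return (t[0], l, r)
    return t

def dual(t):
    """Theorem 3.1 without 0 and 1: swap every action with its co-action and ∧ with ∨."""
    if t[0] == "end":
        return t
    if t[0] == "pre":
        kind, a = t[1]
        return pre(("out" if kind == "in" else "in", a), dual(t[2]))
    return ("or" if t[0] == "and" else "and", dual(t[1]), dual(t[2]))

def show(t):
    """Render a type: !a is the output a-bar, ?a the input a; a trailing end is omitted."""
    if t[0] == "end":
        return "end"
    if t[0] == "pre":
        kind, a = t[1]
        head = ("!" if kind == "out" else "?") + a
        cont = t[2]
        if cont == END:
            return head
        body = show(cont)
        return head + "." + (body if cont[0] == "pre" else "(" + body + ")")
    return show(t[1]) + (" ∧ " if t[0] == "and" else " ∨ ") + show(t[2])

# The global type of Example 3.1:  A -a-> B; A -b-> B  □  A -a-> B; A -c-> B
G = alt(seq(msg("A", "B", "a"), msg("A", "B", "b")),
        seq(msg("A", "B", "a"), msg("A", "B", "c")))

if __name__ == "__main__":
    for p in ("A", "B"):
        print(p, ":", show(project(G, p)), " ~ ", show(factor(project(G, p))))
    print("dual of A's projection equals B's:", dual(factor(project(G, "A"))) == factor(project(G, "B")))
```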



3.3 Subtyping Algorithm 

In this section we define an algorithm for deciding the subtyping relation. Since the interpretation of a
session type is usually an infinite set of processes, we cannot hope to derive a brute force algorithm that
is based directly on Definition 3.3. Fortunately, session types admit a particularly simple and intuitive
normal form. Therefore, we split the decision algorithm in two parts: first we provide an effective
procedure for rewriting every session type into an equivalent normal form, which happens to be unique
up to commutativity and associativity of intersections and unions. Then, we provide a syntax-directed
algorithm that decides the subtyping relation between session types in normal form. In what follows we
will use n-ary intersections and unions of the form $\bigwedge_{i \in \{1,\dots,n\}} T_i$ and
$\bigvee_{i \in \{1,\dots,n\}} T_i$ in place of $T_1 \wedge \cdots \wedge T_n$ and $T_1 \vee \cdots \vee T_n$,
respectively; as usual, we let $\bigwedge_{i \in \emptyset} T_i = 1$ and $\bigvee_{i \in \emptyset} T_i = 0$ by
definition. We will also write $T\{\wedge S\}_\varphi$ to indicate that the $\wedge S$ part is present only when
$\varphi$ holds; similarly for $T\{\vee S\}_\varphi$.

Definition 3.5 (normal form). We say that a session type T is in normal form if either

$$
T = \bigwedge_{a \in A} \bar a.T_a \{\wedge\, \mathsf{end}\}_{\checkmark \in A}
\qquad\text{or}\qquad
T = \bigvee_{a \in A} a.T_a \{\vee\, \mathsf{end}\}_{\checkmark \in A}
$$

and T_a is viable and in normal form for every a ∈ A.
Table 4: Simplification laws (symmetric and dual laws omitted).

  (E-PREFIX)             a.0 = 0

  (E-BOTTOM)             0 ∨ T = T

  (E-TOP)                1 ∧ T = T

  (E-DIST)               a.T ∧ a.S = a.(T ∧ S)

  (E-INPUT-END)          T_a viable (a ∈ A)
                         (∨_{a∈A} a.T_a) ∧ end = 0

  (E-INPUT-OUTPUT)       T_a viable (a ∈ A)    S viable
                         (∨_{a∈A} a.T_a) ∧ b.S = 0

  (E-INPUT-OUTPUT-END)   T_a viable (a ∈ A)    S viable
                         (∨_{a∈A} a.T_a ∨ end) ∧ b.S = b.S ∧ end

  (E-INPUT-INPUT)        (∨_{a∈A} a.T_a {∨ end}_{✓∈A}) ∧ (∨_{b∈B} b.S_b {∨ end}_{✓∈B}) = ∨_{a∈A∩B} a.(T_a ∧ S_a) {∨ end}_{✓∈A∩B}


A process using a channel whose associated session type is ∧_{a∈A} a.T_a {∧ end}_{✓∈A} may send any message a ∈ A and it may decide to terminate if ✓ ∈ A. After sending a message a, the process must continue using the channel as specified by T_a. In a dual fashion, a process using a channel whose associated session type is ∨_{a∈A} a.T_a {∨ end}_{✓∈A} must be ready to receive any message a ∈ A and it must also be ready to terminate immediately if no such message is received and ✓ ∈ A. In case a message a is received, the process must continue using the channel as specified by T_a.

The simplicity of normal forms is due to the fact that some behaviors (like sending a message and receiving a message) are incompatible, in the sense that their combination (intersection or union) yields non-viable session types. Table 4 presents a set of laws that are used (from left to right) as basic simplification steps in the computation of the normal form (symmetric and dual laws are omitted). Laws (E-PREFIX), (E-BOTTOM), and (E-TOP) state that non-viable types absorb prefixes and that 0 and 1 are respectively neutral for ∨ and ∧, as expected. Law (E-DIST) shows that common actions can be factored while preserving the combining operator. In particular, the dual law a.T ∨ a.S ~ a.(T ∨ S) distinguishes subtyping from refinement and from the must pre-order, where the law a.P + a.Q ~ a.(P ⊕ Q) holds. Rules (E-INPUT-END) and (E-INPUT-OUTPUT) show that no client that sends a message a ∈ A can be satisfied by a server that may decide to terminate the interaction or to send a message. This is because the action of sending a message is irrevocable (see rule (r6) in the transition system of processes). Rule (E-INPUT-OUTPUT-END) shows that among the clients that either send a message a ∈ A or terminate are those that can also receive message b. Finally, rule (E-INPUT-INPUT) shows that the clients of a server will send only messages that can surely be received by the server. For example, (a ∨ b ∨ c) ∧ (b ∨ c ∨ d) ~ b ∨ c. The dual law concerns messages that can be sent by the server. Thus (a ∧ b ∧ c) ∨ (b ∧ c ∧ d) ~ b ∧ c: if the server is unsure whether the type of the channel is a ∧ b ∧ c or b ∧ c ∧ d, then it can only send those messages that can travel along the channel in both cases.

Lemma 3.1. The laws in Table 4 are sound.

The simplification laws, and the axiomatization of < that we are about to present, would be simpler 
if one could prove that A and V distribute over each other. We conjecture that the lattice of closed sets 
of processes ordered by set inclusion is indeed distributive (in the process language, the internal and 
external choices distribute over each other), but the proof appears to be non-trivial. 
Lemma 3.2 (normal form). For every session type T there exists S in normal form such that T ~ S. 

The proof of the normal form lemma is constructive and provides an effective procedure for rewriting every session type in its normal form using the laws in Table 4. What remains to do now is to provide the subtyping algorithm for session types in normal form.
Table 5: Subtyping algorithm.

  (S-BOTTOM)   0 ≼ ∧_{a∈A} a.T_a {∧ end}_{✓∈A}

  (S-TOP)      ∨_{a∈A} a.T_a {∨ end}_{✓∈A} ≼ 1

  (S-END)      ∧_{a∈A} a.T_a ∧ end ≼ ∨_{b∈B} b.S_b ∨ end

  (S-INPUT)    A ⊆ B    T_a ≼ S_a (a ∈ A)
               ---------------------------------------------------------
               ∨_{a∈A} a.T_a {∨ end}_{✓∈A} ≼ ∨_{b∈B} b.S_b {∨ end}_{✓∈B}

  (S-OUTPUT)   B ⊆ A    T_a ≼ S_a (a ∈ B)
               ---------------------------------------------------------
               ∧_{a∈A} a.T_a {∧ end}_{✓∈A} ≼ ∧_{b∈B} b.S_b {∧ end}_{✓∈B}


Table 6: Type checking rules.

  (T-NIL)      0 ⊢ 0

  (T-END)      end ⊢ 1

  (T-SEND)     T ⊢ P
               -----------
               a.T ⊢ a.P

  (T-RECEIVE)  T_{a_i} ⊢ P_i (i ∈ I)
               -------------------------------------
               ∨_{i∈I} a_i.T_{a_i} ⊢ Σ_{i∈I} a_i.P_i

  (T-CHOICE)   T ⊢ P    T ⊢ Q
               ---------------
               T ⊢ P ⊕ Q

  (T-SUB)      T ⊢ P    S ≤ T
               ---------------
               S ⊢ P



Definition 3.6 (algorithmic subtyping). Let ≼ be the least relation defined by the axioms and rules in Table 5.

Because of the interpretation of ∧ and ∨ as respectively intersections and unions, the algorithm looks embarrassingly obvious although it states well-known properties of channel types. In particular, rule (S-INPUT) states that it is safe to replace a channel c having some input capabilities (B) with another one d having fewer input capabilities (A ⊆ B), because any process originally using c will be ready to handle any message b ∈ B. Dually, rule (S-OUTPUT) states that it is safe to replace a channel c having some output capabilities (B) with another one d having greater output capabilities (A ⊇ B), since the process originally using c will exercise on d only a subset of the capabilities allowed on it. Observe that (S-OUTPUT) and (S-INPUT) are just specializations of the well-known laws T ∧ S ≤ T and T ≤ T ∨ S concerning intersection and union types. Rules (S-BOTTOM) and (S-TOP) state obvious facts about 0 and 1 being the smallest and the largest session types, respectively. Observe that rule (S-INPUT) is the counterpart of rule (S-BOTTOM) when A = ∅ and the larger session type is a union. Dually, the rule (S-OUTPUT) is the counterpart of rule (S-TOP) when B = ∅ and the smaller session type is an intersection. Rule (S-END) is required for the algorithm to be complete: it basically states the reflexivity of ≼ on end.

The subtyping algorithm is correct and complete with respect to the set of session types in normal form:

Theorem 3.2. Let T and S be in normal form. Then T ≤ S if and only if T ≼ S.
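The normal forms of Definition 3.5, the dual of Theorem 3.1, the combination laws of Table 4 as used in the proof of Lemma 3.2, and the algorithm of Table 5, as an added Python example (not the paper's own code). It assumes that the co-action of an action a is written a~, and, since a single prefix a.T is both a union and an intersection, it merges such a prefix with a union as a union and with an intersection as an intersection.

```python
from dataclasses import dataclass

@dataclass
class NF:
    r"""Session type in normal form (Definition 3.5): \/_{a in A} a.T_a {\/ end} (kind 'or')
    or /\_{a in A} a.T_a {/\ end} (kind 'and'). 0 is the empty union, 1 the empty intersection."""
    kind: str
    branches: dict       # action -> continuation, assumed viable and in normal form
    end: bool = False    # whether the optional end summand/factor is present
    def __post_init__(self):
        # A single prefix a.T, and end itself, are both a union and an intersection (Table 5
        # uses them as either), so they get one canonical kind here.
        if len(self.branches) + self.end == 1:
            self.kind = 'or'

BOT, TOP, END = NF('or', {}), NF('and', {}), NF('or', {}, True)

def mk(kind, end=False, **branches):
    r"""mk('or', a=END, b=END, end=True) builds a.end \/ b.end \/ end."""
    return NF(kind, dict(branches), end)

def viewable_as(t, kind):
    return t.kind == kind or len(t.branches) + t.end == 1

def co(action):
    """Co-action; assumed notation: the co-action of 'a' is written 'a~' and vice versa."""
    return action[:-1] if action.endswith('~') else action + '~'

def dual(t):
    r"""Theorem 3.1 on normal forms: swap /\ and \/ (hence 0 and 1), actions and co-actions."""
    return NF('and' if t.kind == 'or' else 'or',
              {co(a): dual(c) for a, c in t.branches.items()}, t.end)

def combine(op, t, s):
    r"""Normal form of t /\ s (op='and') or t \/ s (op='or'), following the cases in the proof
    of Lemma 3.2: (E-BOTTOM)/(E-TOP) for the units, (E-DIST) for actions shared by like forms,
    (E-INPUT-INPUT) for two unions under /\, (E-INPUT-END)/(E-INPUT-OUTPUT)/(E-INPUT-OUTPUT-END)
    for a union under /\ with an intersection, and the dual laws for \/."""
    neutral, absorbing = (TOP, BOT) if op == 'and' else (BOT, TOP)
    other = 'or' if op == 'and' else 'and'
    if t == neutral:
        return s
    if s == neutral:
        return t
    if t == absorbing or s == absorbing:
        return absorbing
    if viewable_as(t, op) and viewable_as(s, op):            # same connective: merge the forms
        kind, actions, end = op, set(t.branches) | set(s.branches), t.end or s.end
    elif viewable_as(t, other) and viewable_as(s, other):    # (E-INPUT-INPUT) or its dual
        kind, actions, end = other, set(t.branches) & set(s.branches), t.end and s.end
    else:                                                    # mixed: under /\ the union decides
        decider, rest = (t, s) if t.kind == other else (s, t)
        return NF(rest.kind, dict(rest.branches), True) if decider.end else absorbing
    branches = {}
    drop, kill = (BOT, TOP) if kind == 'or' else (TOP, BOT)  # (E-PREFIX): a.0 = 0, a.1 = 1
    for a in actions:
        if a in t.branches and a in s.branches:
            c = combine(op, t.branches[a], s.branches[a])    # (E-DIST): a.T /\ a.S = a.(T /\ S)
        else:
            c = t.branches[a] if a in t.branches else s.branches[a]
        if c == kill:
            return kill
        if c != drop:
            branches[a] = c
    return NF(kind, branches, end)

def leq(t, s):
    """Algorithmic subtyping of Table 5 on normal forms."""
    if t == BOT or s == TOP:                                                 # (S-BOTTOM), (S-TOP)
        return True
    if viewable_as(t, 'and') and t.end and viewable_as(s, 'or') and s.end:   # (S-END)
        return True
    a, b = set(t.branches), set(s.branches)
    if viewable_as(t, 'or') and viewable_as(s, 'or'):                        # (S-INPUT): A subset of B
        return a <= b and (s.end or not t.end) and \
            all(leq(t.branches[x], s.branches[x]) for x in a)
    if viewable_as(t, 'and') and viewable_as(s, 'and'):                      # (S-OUTPUT): B subset of A
        return b <= a and (t.end or not s.end) and \
            all(leq(t.branches[x], s.branches[x]) for x in b)
    return False

def equiv(t, s):
    """T ~ S, i.e. mutual subtyping."""
    return leq(t, s) and leq(s, t)
```

Since the dual swaps the two forms, `leq(t, s)` and `leq(dual(s), dual(t))` always agree, which is a cheap consistency check on both functions.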
3.4 Type Checking 

We conclude with the definition of a type checker to derive judgments of the form T ⊢ P meaning that P is a well-typed process using a channel with type T. The type checker is defined by the axioms and rules in Table 6. We abbreviate a_1.P_1 + ··· + a_n.P_n with Σ_{i∈{1,...,n}} a_i.P_i.

Because of the similarities between processes and session types, at first sight the type checker looks as stating a trivial correspondence between the two languages, but there are some lurking subtleties. Rules (T-NIL), (T-END), and (T-SEND) are indeed fairly obvious: the deadlocked server 0 can only use a channel typed by 0 since no client can interact with it; the terminated server 1 can use a channel typed by end since it has successfully ended any interaction; the server a.P sending a message a can use a channel typed by a.T if the continuation P uses the channel according to T. Rule (T-RECEIVE) concerns servers waiting for a message from the set {a_i | i ∈ I}. Intuitively, these servers can use channels typed by ∨_{i∈I} a_i.T_i where each continuation P_i is well typed with respect to T_i. However, there is the possibility that two branches of the server are guarded by the same input action. Namely, it may be the case that a_i = a_j for some i, j ∈ I such that i ≠ j. As we know, this translates into the server performing an internal choice on how to handle such a message, nondeterministically choosing between the continuations P_i and P_j. Had we typed the server with respect to ∨_{i∈I} a_i.T_i, we would be stating that the server is capable of dealing with all the clients in the set ⟦T_i ∨ T_j⟧⊥, which is not necessarily the case. Therefore, in order for this typing rule to be sound, we require that the continuations P_i and P_j of different branches guarded by the same input action a_i = a_j must be typable with respect to the same type T_{a_i} = T_{a_j}. This way, no matter which continuation is selected, it will be well typed. Rule (T-CHOICE) presents a similar problem, since the server P ⊕ Q may independently reduce to either P or Q. Therefore, we require both choices to be typable with respect to the same session type T. The attentive reader will have noticed a close relationship between this typing rule and standard type preservation results stating that (internal) reductions preserve the type: in this case, from the hypotheses T ⊢ P ⊕ Q and either P ⊕ Q ⟶ P or P ⊕ Q ⟶ Q we easily deduce that the residual process is still well typed with respect to T. The last rule (T-SUB) is a standard subsumption rule, except that it deals with the type of the (implicit) channel used by the process and not with the type of the process itself. It states that if a process is well typed with respect to some session type T, then it is also well typed with respect to a smaller session type S. This is consistent with the intuition that it is safe to replace a value (in this case, a channel) with another one having a smaller type.

Example 3.2. In the two derivations that follow, rule (T-SUB) is essential for rules (T-RECEIVE) and (T-CHOICE) to be applicable.

                      end ⊢ 1                          end ⊢ 1
          (T-SEND) -----------              (T-SEND) -----------
                      a ⊢ a      a ∧ b ≤ a               b ⊢ b      a ∧ b ≤ b
           (T-SUB) -------------------------  (T-SUB) -------------------------
                      a ∧ b ⊢ a                          a ∧ b ⊢ b
      (T-RECEIVE) ----------------------------------------------------------------
                      a.(a ∧ b) ⊢ a.a + a.b

                      end ⊢ 1                          end ⊢ 1
          (T-SEND) -----------              (T-SEND) -----------
                      a ⊢ a      a ∧ b ≤ a               b ⊢ b      a ∧ b ≤ b
           (T-SUB) -------------------------  (T-SUB) -------------------------
                      a ∧ b ⊢ a                          a ∧ b ⊢ b
       (T-CHOICE) ----------------------------------------------------------------
                      a ∧ b ⊢ a ⊕ b
          (T-SEND) -------------------------
                      a.(a ∧ b) ⊢ a.(a ⊕ b)

The fact that the two processes a.a + a.b and a.(a ⊕ b) are well typed with respect to the same type a.(a ∧ b) provides further evidence that they are equivalent, as informally argued in Section [?].

We conclude our study with a soundness result for the type system. If two processes are typed by dual session types, then they are orthogonal.

Theorem 3.3. If T ⊢ P and T̄ ⊢ Q, then P ⊥ Q.

There is no hypothesis concerning the viability of T, but this is implied. The reader can easily verify that T ⊢ P implies T ≄ 1, coherently with the observation that no process is able to satisfy all processes. As a consequence the hypotheses T ⊢ P and T̄ ⊢ Q are enough to ensure that T and its dual are viable.

4 Concluding Remarks and Future Work 

Previous formalizations of session types [refs] are based on the observation that session types are behavioral types. As such, they are eligible for being studied by means of the numerous and well-developed techniques for process equivalence, and testing equivalence in particular [refs]. In this view the different modalities in which actions are offered coincide with two known behavioral operators, the internal choice ⊕ and the external choice +. This approach, however natural and elegant, poses a few problems mostly due to the fact that the external choice is sometimes an internal choice in disguise: the language of session types may be difficult to understand for the programmer; the resulting subtyping relation is not a pre-congruence and is thus more difficult to use in practice; also, there are contexts where the computation of the greatest lower bound and of the least upper bound of session types arises naturally and these must be computed by means of meta-operators on session types [ref].

In this work we propose an alternative language of session types which is not immediately related to some known process algebra. The basic idea is that the two choices can be naturally modeled by means of intersection and union types: the session type T ∧ S describes a channel having both type T and type S and for this reason a process can freely use that channel as having either type; the session type T ∨ S describes a channel having either type T or type S, therefore a process using that channel cannot make any assumption on it unless the exchanged messages provide enough information to disambiguate its type. The intersection and union operators are intuitive alternatives to internal and external choices, they provide a native mechanism for the computation of greatest lower bounds and least upper bounds, and the subtyping relation of the resulting theory turns out to be a pre-congruence.

It is worth noting that, in our theory, the semantics of session types solely depends on the process language, in particular on the adopted communication model and on the orthogonality relation. Any other concept or result is derived from these two. In this work we have adopted a partially asynchronous communication model, where output messages must be consumed before the sender can engage in any other activity, and a symmetric orthogonality relation where both processes involved in a communication must terminate successfully if the interaction reaches a stable state. These choices led us to rediscover a familiar theory of session types [8], but it is plausible to expect that different interesting theories can be developed by varying these two seminal notions. For example, using a truly asynchronous communication model, where an output action does not block subsequent actions, the relation a.b ≤ b.a would be sound because any "client" of a.b will eventually receive the b message that the "server" of b.a sends ahead of time. Using an asymmetric orthogonality relation might allow us to draw a closer comparison between our theory and more standard testing theories [refs], where the notion of "test" is asymmetric. We remark here just a few planned developments of our theory: first of all, we want to extend the presented framework to deal with possibly infinite session types. In principle this would amount to using a fixpoint operator for determining the semantics of recursive session types as sets of possibly infinite processes. However, the model presented in this work may need some further technical adjustments. To see why, consider the infinite session type determined by the equation T = a.T which gives rise to the semantic equation X = {a.P | P ∈ X}⊥⊥. Both ∅ and 𝒫 are solutions of the equation, meaning that the semantics of a session type may not be uniquely determined. At the same time, neither ∅ nor 𝒫 is a satisfactory solution because they denote non-viable session types, while we would expect ⟦T⟧ to contain (recursive) processes that send an infinite number of a messages. We plan to investigate whether the semantic model of types described in [ref], which shares many properties with ours, can be used to give a proper semantics to infinite session types. The second extension to the presented framework is to consider non-atomic actions of the form !t and ?t where t is a basic type (such as int, bool, ...) and actions of the form !T and ?T for describing delegations (the input and output of channels of type T). This will give rise to more interesting relations such as !int ∨ !real ~ !int (assuming int is a subtype of real) and will allow us to compare more thoroughly our subtyping relation with the existing ones [ref]. Finally, it looks like the presented approach can be easily extended to incorporate universal and existential quantifiers in session types, so as to model polymorphism and data encapsulation. In this way we hope to provide semantic foundations to polymorphic session types [ref].
A Supplement to Section 2

In this section we solely introduce some handy notation related to processes that will be useful for the proofs in Section B. First we define two relations, that we dub "may" and "must", distinguishing the fact that a process may output some message or is always capable to (i.e., must) perform some input or output action, regardless of its internal transitions.

Definition A.1 (may/must). Let μ ∈ 𝒩 ∪ {✓}. We say that P may output μ, notation P ↓ μ, if P ⇒ --μ-->. Let μ ∈ 𝒩 ∪ 𝒩̄ ∪ {✓}. We say that P must μ, notation P ⇓ μ, if P ⇒ P' implies P' --μ-->. We say that P may converge, notation P ↓, if P ⇒ P' implies P' ↓ μ for some μ; we say that P must converge, notation P ⇓, if there exists μ such that P ⇓ μ.

We will sometimes say that a process P guarantees action μ if P ⇓ μ.

Then, we define the continuation of a process P with respect to an action μ as the combination of all the possible residuals of P after μ. This differs from the relation --μ-->, which relates P with one particular (not necessarily unique) residual of P after μ.

Definition A.2 (continuation). Let P --μ-->. The continuation of P with respect to μ is defined as P(μ) = ⊕_{P --μ--> P'} P'.

For example, consider P = a.P_1 + a.P_2. On the one hand we have P --a--> P_1 and also P --a--> P_2, namely there are two possibly different residuals of P after a due to two different branches of the external choice that are guarded by the same action. On the other hand, the (unique) continuation of P after a is P_1 ⊕ P_2, which expresses the fact that both branches are possible.



B Supplement to Section 3

B.1 Semantics

We begin by gaining some familiarity with the orthogonal and the bi-orthogonal operators and some of their properties; in particular we provide alternative characterizations for X⊥ and X⊥⊥, we prove that ⊥ is anti-monotonic, and we state some known properties regarding orthogonal sets and set-theoretic operators.

Proposition B.1. The following properties hold:

1. X⊥ = ⋂_{P∈X} {P}⊥;

2. X⊥⊥ = ⋂_{X ⊆ {P}⊥} {P}⊥;

3. X ⊆ Y implies Y⊥ ⊆ X⊥;

4. X⊥ is closed;

5. (X ∪ Y)⊥ = X⊥ ∩ Y⊥.

Proof. We prove the items in order:

1. We have Q ∈ X⊥ iff X ⊆ {Q}⊥ iff P ⊥ Q for every P ∈ X iff Q ∈ {P}⊥ for every P ∈ X iff Q ∈ ⋂_{P∈X} {P}⊥.

2. By item (1) we have X⊥⊥ = ⋂_{P∈X⊥} {P}⊥ = ⋂_{X ⊆ {P}⊥} {P}⊥.

3. By item (1) we have Y⊥ = ⋂_{P∈Y} {P}⊥ ⊆ ⋂_{P∈X} {P}⊥ = X⊥.

4. From Proposition 3.1(1) we obtain X⊥ ⊆ X⊥⊥⊥ by replacing X with X⊥. From the same proposition and item (3) we obtain X⊥⊥⊥ ⊆ X⊥. We conclude X⊥ = X⊥⊥⊥.

5. By item (1) we have (X ∪ Y)⊥ = ⋂_{P∈X∪Y} {P}⊥ = ⋂_{P∈X} {P}⊥ ∩ ⋂_{P∈Y} {P}⊥ = X⊥ ∩ Y⊥. □

It should be observed that item (5) of the previous proposition can be generalized to arbitrary unions, namely that

  (⋃_{i∈I} X_i)⊥ = ⋂_{i∈I} X_i⊥

for an arbitrary, possibly infinite family of sets X_i. The reader may also verify that ∧ and ∨ are indeed commutative and associative operators. These properties will be silently used in some of the proofs that follow.
We now present an auxiliary operator that is convenient in the definition of the semantics of session types. We write 𝒢_a(X) for the set of processes that guarantee an a action and whose continuation after a is a process in X. Formally:

  𝒢_a(X) = 𝒫                                       if X⊥ = ∅
  𝒢_a(X) = {P ∈ 𝒫 | P ⇓ a and P(a) ∈ X}             otherwise

Using 𝒢_a(·) one can equivalently define the interpretation of a.T as ⟦a.T⟧ = 𝒢_a(⟦T⟧). In particular, the orthogonal of 𝒢_a(X) can be computed simply by turning a into the corresponding co-action and by computing the orthogonal of X:

Proposition B.2. 𝒢_a(X)⊥ = 𝒢_ā(X⊥).

Proof. We distinguish three cases:

• (X = ∅) Then X⊥ = 𝒫 and we conclude 𝒢_a(X)⊥ = ∅⊥ = 𝒫 = 𝒢_ā(𝒫) = 𝒢_ā(X⊥).

• (X⊥ = ∅) Then 𝒢_a(X)⊥ = 𝒫⊥ = ∅ = 𝒢_ā(∅) = 𝒢_ā(X⊥).

• (X ≠ ∅ and X⊥ ≠ ∅) We have:

    Q ∈ 𝒢_a(X)⊥
    ⟺ ∀P ∈ 𝒢_a(X) : P ⊥ Q                              (X⊥ ≠ ∅)
    ⟺ ∀P ∈ 𝒢_a(X) : Q ⇓ ā ∧ Q(ā) ⊥ P(a)
    ⟺ Q ⇓ ā ∧ ∀P ∈ 𝒢_a(X) : Q(ā) ⊥ P(a)                (X ≠ ∅)
    ⟺ Q ⇓ ā ∧ Q(ā) ∈ X⊥
    ⟺ Q ∈ 𝒢_ā(X⊥)

  namely 𝒢_a(X)⊥ = 𝒢_ā(X⊥). □

Corollary B.1. X closed implies 𝒢_a(X) closed.

Proof. By Proposition B.2 we have 𝒢_a(X)⊥⊥ = 𝒢_ā(X⊥)⊥ = 𝒢_a(X⊥⊥) = 𝒢_a(X). □



We now have all the information for showing that ⟦T⟧ is a closed set of processes, so that we can rewrite ⟦T⟧ into ⟦T⟧⊥⊥ and vice versa, whenever useful (proof of Theorem 3.1).

Proposition B.3. For every T, the set ⟦T⟧ is closed.

Proof. An easy induction on T. The case when T = end follows from the fact that 1 ∈ ⟦end⟧, hence ⟦end⟧⊥ = ⟦end⟧. The case when T = T_1 ∧ T_2 is proved using Proposition B.1. □

Theorem B.1 (Theorem 3.1). For every T, ⟦T̄⟧ = ⟦T⟧⊥.

Proof. By induction on T and by cases on its shape:

• ⟦0̄⟧ = ⟦1⟧ = 𝒫 = ∅⊥ = ⟦0⟧⊥.

• ⟦1̄⟧ = ⟦0⟧ = ∅ = 𝒫⊥ = ⟦1⟧⊥.

• ⟦dual of end⟧ = {P ∈ 𝒫 | P ⇓ ✓} = ⟦end⟧⊥.

• ⟦dual of T_1 ∧ T_2⟧ = ⟦T̄_1 ∨ T̄_2⟧ = (⟦T̄_1⟧ ∪ ⟦T̄_2⟧)⊥⊥ = (⟦T_1⟧⊥ ∪ ⟦T_2⟧⊥)⊥⊥ = (⟦T_1⟧⊥⊥ ∩ ⟦T_2⟧⊥⊥)⊥ = (⟦T_1⟧ ∩ ⟦T_2⟧)⊥ = ⟦T_1 ∧ T_2⟧⊥.

• ⟦dual of T_1 ∨ T_2⟧ = ⟦T̄_1 ∧ T̄_2⟧ = ⟦T̄_1⟧ ∩ ⟦T̄_2⟧ = ⟦T_1⟧⊥ ∩ ⟦T_2⟧⊥ = (⟦T_1⟧ ∪ ⟦T_2⟧)⊥ = ⟦T_1 ∨ T_2⟧⊥. □
B.2 Subtyping Algorithm

Lemma B.1. Let T = ∨_{a∈A} a.T_a {∨ end}_{✓∈A} and S = ∧_{a∈A} a.S_a {∧ end}_{✓∈A} for some A ⊆ 𝒩 ∪ {✓} where T_a and S_a are viable for every a ∈ A. Then the following properties hold:

1. P ∈ ⟦T⟧ if and only if P ↓ and {μ | P ↓ μ} ⊆ A and P ↓ a implies P(a) ∈ ⟦T_a⟧;

2. P ∈ ⟦S⟧ if and only if P ⇓ and A ⊆ {μ | P ⇓ μ} and a ∈ A implies P(a) ∈ ⟦S_a⟧.

Proof. We prove the two items in order:

1. Since ⟦T⟧ is closed we have P ∈ ⟦T⟧ if and only if P ∈ ⟦T⟧⊥⊥ if and only if ⟦T⟧⊥ ⊆ {P}⊥. Now

  ⟦T⟧⊥ = (⋃_{a∈A} 𝒢_a(⟦T_a⟧) {∪ ⟦end⟧}_{✓∈A})⊥⊥⊥ = ⋂_{a∈A} 𝒢_a(⟦T_a⟧)⊥ {∩ ⟦end⟧⊥}_{✓∈A} = ⋂_{a∈A} 𝒢_ā(⟦T_a⟧⊥) {∩ ⟦end⟧}_{✓∈A}

  in particular Σ_{a∈A} ā.Q_a {+ 1}_{✓∈A} ∈ ⟦T⟧⊥ for every Q_a ∈ ⟦T_a⟧⊥. We deduce P ↓ and P ↓ μ implies μ ∈ A and P ↓ a implies P(a) ⊥ Q_a. Since this holds for every Q_a ∈ ⟦T_a⟧⊥ we have ⟦T_a⟧⊥ ⊆ {P(a)}⊥, which is equivalent to P(a) ∈ ⟦T_a⟧.

2. We have

  ⟦S⟧ = ⋂_{a∈A} 𝒢_a(⟦S_a⟧) {∩ ⟦end⟧}_{✓∈A}

  from which we deduce that P ∈ ⟦S⟧ if and only if P ⇓ and μ ∈ A implies P ⇓ μ and a ∈ A implies P(a) ∈ ⟦S_a⟧. □

Lemma B.2 (Lemma 3.1). The laws in Table 4 are sound.

Proof. Laws (E-PREFIX), (E-BOTTOM), and (E-TOP) are left as easy exercises for the reader. Regarding rule (E-DIST) we have ⟦a.T ∧ a.S⟧ = ⟦a.T⟧ ∩ ⟦a.S⟧ = 𝒢_a(⟦T⟧) ∩ 𝒢_a(⟦S⟧) = {P ∈ 𝒫 | P ⇓ a ∧ P(a) ∈ ⟦T⟧} ∩ {P ∈ 𝒫 | P ⇓ a ∧ P(a) ∈ ⟦S⟧} = {P ∈ 𝒫 | P ⇓ a ∧ P(a) ∈ ⟦T⟧ ∩ ⟦S⟧} = 𝒢_a(⟦T⟧ ∩ ⟦S⟧) = 𝒢_a(⟦T ∧ S⟧) = ⟦a.(T ∧ S)⟧. Regarding rule (E-INPUT-END), let T = ∨_{a∈A} a.T_a and suppose by contradiction that P ∈ ⟦T ∧ end⟧. Then P ∈ ⟦T⟧ and P ∈ ⟦end⟧, which implies P ↓ and {μ | P ↓ μ} ⊆ A and P ⇓ ✓. Since P ↓ a and P ⇓ ✓ are incompatible properties we deduce A = ∅. Then T ~ 0, which contradicts the hypothesis P ∈ ⟦T ∧ end⟧. The proof that rule (E-INPUT-OUTPUT) is sound is similar, except that in this case P ∈ ⟦b.S⟧ implies P ⇓ b. Regarding rule (E-INPUT-OUTPUT-END), let T = ∨_{a∈A} a.T_a ∨ end. We only need to prove T ∧ b.S ≤ end because T ∧ b.S ≤ b.S is obvious and b.S ∧ end ≤ T ∧ b.S follows immediately from the fact that end ≤ T and the pre-congruence of ≤. Let P ∈ ⟦T ∧ b.S⟧. By Lemma B.1 we deduce P ⇓ b and P ↓. The only action in 𝒩 ∪ {✓} that may coexist with a guaranteed input action (b) is ✓. Since P ↓ we have P ↓ μ implies μ = ✓, hence P ⇓ ✓. We conclude P ∈ ⟦end⟧. Regarding rule (E-INPUT-INPUT), let T = ∨_{a∈A} a.T_a {∨ end}_{✓∈A} and S = ∨_{b∈B} b.S_b {∨ end}_{✓∈B}. By Lemma B.1 we have P ∈ ⟦T ∧ S⟧ if and only if P ↓ and {μ | P ↓ μ} ⊆ A ∩ B and P ↓ a implies P(a) ∈ ⟦T_a⟧ ∩ ⟦S_a⟧ if and only if P ∈ ⟦∨_{a∈A∩B} a.(T_a ∧ S_a) {∨ end}_{✓∈A∩B}⟧. □

Some of the proofs that follow are defined by induction on the depth of session types. By "depth" of a session type we mean the maximum number of nested actions in it. For example a.b ∧ c has depth 2, while a.b.c has depth 3. The session types 0, 1, and end all have depth 0.

Lemma B.3 (Lemma 3.2). For every session type T there exists S in normal form such that T ~ S.

Proof. By induction on the depth of T and by cases on its shape.

• If T = 1 or T = 0 or T = end, then T is already in normal form.

• If T = a.T', then by induction hypothesis there exists S' in normal form such that T' ~ S'. We reason by cases on S' for finding S in normal form such that T ~ S:

  - if S' = 1, then T ~ a.1 ~ 1;

  - if S' = 0, then T ~ a.0 ~ 0;

  - in all the other cases we have T ~ a.S' which is in normal form.

• If T = T_1 ∧ T_2, then by induction hypothesis there exist S_1 and S_2 in normal form such that T_1 ~ S_1 and T_2 ~ S_2. We reason by cases on S_1 and S_2 (symmetric cases omitted):

  - if S_1 = 0 we have T ~ 0 ∧ S_2 ~ 0;

  - if S_1 = 1 we have T ~ 1 ∧ S_2 ~ S_2;

  - if S_1 = ∨_{a∈A} a.S_{1,a} {∨ end}_{✓∈A} and S_2 = ∨_{b∈B} b.S_{2,b} {∨ end}_{✓∈B}, then by rule (E-INPUT-INPUT) we have T ~ S_1 ∧ S_2 ~ ∨_{a∈A∩B} a.(S_{1,a} ∧ S_{2,a}) {∨ end}_{✓∈A∩B}. By induction hypothesis there exists S_a in normal form such that S_{1,a} ∧ S_{2,a} ~ S_a for every a ∈ A ∩ B, therefore T ~ ∨_{a∈A∩B} a.S_a {∨ end}_{✓∈A∩B};

  - if S_1 = ∧_{a∈A} a.S_{1,a} {∧ end}_{✓∈A} and S_2 = ∧_{b∈B} b.S_{2,b} {∧ end}_{✓∈B}, then T ~ S_1 ∧ S_2 ~ ∧_{a∈A\B} a.S_{1,a} ∧ ∧_{b∈B\A} b.S_{2,b} ∧ ∧_{a∈A∩B} a.S_a {∧ end}_{✓∈A∪B} where S_a is in normal form and S_{1,a} ∧ S_{2,a} ~ S_a for every a ∈ A ∩ B;

  - if S_1 = ∨_{a∈A} a.S_{1,a} and S_2 = ∧_{b∈B} b.S_{2,b} {∧ end}_{✓∈B}, then by rules (E-INPUT-END) and/or (E-INPUT-OUTPUT) we conclude T ~ 0;

  - if S_1 = ∨_{a∈A} a.S_{1,a} ∨ end and S_2 = ∧_{b∈B} b.S_{2,b} {∧ end}_{✓∈B}, then by rule (E-INPUT-OUTPUT-END) we conclude T ~ ∧_{b∈B} b.S_{2,b} ∧ end.

• If T = T_1 ∨ T_2, then we reason in a dual fashion with respect to the previous case. □



Theorem B.2 (Theorem 3.2). Let T and S be in normal form. Then T ≤ S if and only if T ≼ S.

Proof. The "if" part is trivial since ≼ axiomatizes obvious properties of ≤. Regarding the "only if" part, we proceed by induction on the depth of T and S and by cases on their (normal) form. We omit dual cases:

• (T = 0) We conclude with an application of either (S-BOTTOM) or (S-INPUT) according to the form of S.

• (S = 1) We conclude with an application of either (S-TOP) or (S-OUTPUT) according to the form of T.

• (T = ∨_{a∈A} a.T_a {∨ end}_{✓∈A} and S = ∨_{b∈B} b.S_b {∨ end}_{✓∈B}) From the hypothesis T ≤ S and Lemma B.1 we deduce A ⊆ B and T_a ≤ S_a for every a ∈ A. By induction hypothesis we derive T_a ≼ S_a for every a ∈ A, and we conclude with an application of rule (S-INPUT).

• (T = ∨_{a∈A} a.T_a {∨ end}_{✓∈A} and S = ∧_{b∈B} b.S_b {∧ end}_{✓∈B}) For every P ∈ ⟦T⟧ we have {μ | P ↓ μ} ⊆ A and B ⊆ {μ | P ⇓ μ}, from which we deduce A = B = {✓}. We conclude with an application of rule (S-END).

• (T = ∧_{a∈A} a.T_a {∧ end}_{✓∈A} and S = ∧_{b∈B} b.S_b {∧ end}_{✓∈B}) For every P ∈ ⟦T⟧ we have that A ⊆ {μ | P ⇓ μ} implies B ⊆ {μ | P ⇓ μ}, meaning B ⊆ A. Furthermore, T_b ≤ S_b for every b ∈ B. By induction hypothesis we deduce T_b ≼ S_b for every b ∈ B, and we conclude with an application of rule (S-OUTPUT).

• (T = ∧_{a∈A} a.T_a {∧ end}_{✓∈A} and S = ∨_{b∈B} b.S_b {∨ end}_{✓∈B}) For every P ∈ ⟦T⟧ we have that A ⊆ {μ | P ⇓ μ} implies {μ | P ↓ μ} ⊆ B, from which we deduce ✓ ∈ A ∩ B. We conclude with an application of rule (S-END). □



B.3 Type Checker

Theorem B.3 (Theorem 3.3). If T ⊢ P and T̄ ⊢ Q, then P ⊥ Q.

Proof. It is sufficient to show that T ⊢ P implies P ∈ ⟦T⟧⊥ for some generic T and P. Then, by Theorem 3.1 we have Q ∈ ⟦T̄⟧⊥ = ⟦T⟧⊥⊥ = ⟦T⟧ and we conclude P ⊥ Q by definition of orthogonal set. We prove that T ⊢ P implies P ∈ ⟦T⟧⊥ by induction on the derivation of T ⊢ P and by cases on the last rule applied:

• (T-NIL) Then P = 0 and T = 0 and we conclude 0 ∈ 𝒫 = ∅⊥ = ⟦0⟧⊥.

• (T-END) Then P = 1 and T = end and we conclude 1 ∈ ⟦end⟧⊥ = ⟦end⟧ = {P ∈ 𝒫 | P ⇓ ✓}.

• (T-SEND) Then P = a.Q and T = a.S for some Q and S such that S ⊢ Q. By induction hypothesis we deduce Q ∈ ⟦S⟧⊥. We conclude P ∈ ⟦T⟧⊥ = 𝒢_a(⟦S⟧)⊥ = 𝒢_ā(⟦S⟧⊥) since P ⇓ a and P(a) = Q ∈ ⟦S⟧⊥.

• (T-RECEIVE) Then P = Σ_{i∈I} a_i.P_i and T = ∨_{i∈I} a_i.T_{a_i} where T_{a_i} ⊢ P_i for every i ∈ I. By induction hypothesis we have P_i ∈ ⟦T_{a_i}⟧⊥ for every i ∈ I. We conclude P ∈ ⟦T⟧⊥ = (⋃_{i∈I} ⟦a_i.T_{a_i}⟧)⊥⊥⊥ = (⋃_{i∈I} 𝒢_{a_i}(⟦T_{a_i}⟧))⊥⊥⊥ = (⋃_{i∈I} 𝒢_{a_i}(⟦T_{a_i}⟧))⊥ = ⋂_{i∈I} 𝒢_{a_i}(⟦T_{a_i}⟧)⊥ = ⋂_{i∈I} 𝒢_{ā_i}(⟦T_{a_i}⟧⊥) because P ⇓ a_i and P(a_i) = ⊕_{a_j = a_i} P_j ∈ ⟦T_{a_i}⟧⊥ for every i ∈ I.

• (T-CHOICE) Then P = P_1 ⊕ P_2 where T ⊢ P_i for i ∈ {1, 2}. By induction hypothesis we deduce P_i ∈ ⟦T⟧⊥ for i ∈ {1, 2}, hence we conclude P ∈ ⟦T⟧⊥ because ⟦T⟧⊥ is closed.

• (T-SUB) Then S ⊢ P for some S such that T ≤ S. By induction hypothesis we have P ∈ ⟦S⟧⊥, hence we conclude P ∈ ⟦T⟧⊥ since T ≤ S implies ⟦S⟧⊥ ⊆ ⟦T⟧⊥ by Proposition B.1(3). □



